(57) A method for linking of a first characteristic of a first device (PP1,PP2) and a second characteristic of a second device (NP1,NP2) by a server (S1,AS2) is disclosed. The method comprises the steps of selecting (75) a first linking information and a second linking information, the first linking information matching to the second linking information, sending (100,150) from the server (S1,AS2) the first linking information to the first device (PP1,PP2) and the second linking information to the second device (NP1,NP2), presenting (200,250) by the first device (PP1,PP2) the first linking information and by the second device (NP1,NP2) the second linking information, entering (300) into the first device (PP1,PP2) an indication of the matching of the first linking information and the second linking information, and based on the entered indication of the matching, sending (400) to the server (S1,AS2) a matching confirmation for confirming the matching to the server (S1,AS2), and associating (450) the first characteristic and the second characteristic based on the received matching confirmation.

Description

[Technical field of the invention] 

[0001] The present invention relates to a method for linking of a first characteristic of a first device to a second characteristic of a second device. The invention also concerns a server and a computer program loadable into a processing unit of a server.

[Background of the invention]

[0002] Linking of devices is defined by the achieving of an association of one or more characteristics of a first device with one or more characteristics of one or more further devices. A characteristic typically allows a device to be identified; however, in a more general sense a characteristic can relate to any kind of information associated with a device. For linking of a first device to a second device, one or more characteristics of the first device are associated to one or more characteristics of the second device. One or more of the associated characteristics can be determined from the respective devices or from further entities knowing the respective characteristics. In general, linking of devices provides extended information due to the linkage, e.g. by revealing that two devices are linked at some point in time. A table may be used for the association of characteristics and characteristics may be different for different implementations of the linking method.

[0003] Linking of devices is increasingly used for authentication purposes. When trying to access an institution like a system or service or device via a non-trusted device like a computer terminal or an automatic teller machine (ATM) or a door, the institution to which access is requested initially does not have knowledge of the operator of the non-trusted device. For a lot of situations like downloading publicly available information from the Internet or entering a public building this lack of knowledge is not problematic to the institution, i.e. access to the institution is provided via the non-trusted device to any person that is able to operate the non-trusted device. However, for accessing an institution where access restrictions apply, knowledge regarding the legitimization for access is necessary. This knowledge can be e.g. provided by an authentication procedure like verifying a user identity and a password entered into the non-personal device. Alternatively, linking to a trusted device can be used for authentication for granting access.
[0004] A trusted device is a device that is associated with an access legitimization as the main characteristic of a trusted device. An access legitimization legitimates the trusted device to access a particular institution. When presenting the trusted device to the particular institution, the access legitimization achieves that access to the particular institution is granted to the trusted device. The particular institution or an entity supporting the particular institution can have certain criteria to verify the access legitimization for granting access. Examples for a trusted device are a mobile phone being legitimated for accessing a mobile telephone network or a credit card being legitimated for accessing a payment service. Depending on the trusted device and the processing of the verification of the access legitimization, an identity of the legitimate owner of the trusted device can be obtained or it can be proven that a person operating a trusted device is identical to or is authorized by the legitimate owner. The respective information may be associated with the access legitimization of the trusted device.

[0005] Thus, when requesting access to an institution via a non-trusted device, a trusted device with an associated access legitimization can be presented. The associated access legitimization can be determined and can be associated to a characteristic like an identifier of the non-trusted device requesting access to the institution. Alternatively, a characteristic of the trusted device referring to the access legitimization associated with the trusted device can be associated to the characteristic of the non-trusted device. The institution for which the access legitimization associated with the trusted device legitimates access does not necessarily have to be identical to the institution to which the non-trusted device requests access. Agreements between different institutions can ensure that an access legitimization legitimating for access to a first institution legitimates also for access to a second institution. The associated characteristics of the trusted and non-trusted device can be stored in a database for further processing, e.g. for statistical, charging or legal purposes. Based on the associated characteristics of the non-trusted and trusted device, access can be granted to or via the non-trusted device, because now the institution or the entity supporting the institution for authentication purpose is provided with knowledge on an access legitimization linked to a characteristic of the non-trusted device like an identifier identifying the non-trusted device. Depending on the trusted device and the implementation of the linking method, information about an identity of the legitimate owner of the trusted device or a proof that an operator of the trusted device is identical to or is authorized by the legitimate owner of the trusted device can be obtained and associated to the respective characteristic of the non-trusted device. Also an identity of the institution that is to be accessed can be associated.

[0006] More secure linking methods require in addition to the association of characteristics a proof that a first device and a second device that are to be linked are located in close proximity. The proof of the close proximity is seen as sufficient evidence that the operator of the first device is identical to or at least authorized by the operator of the second device.

[0007] Different solutions exist for proving the close proximity that are described in the following:

[0008] According to a first solution, a local connection between a first device and a second device that are to be linked can be used to send linking data from a server, e.g. a payment or authentication server, via the first device and the second device and then back to the server or vice versa. A successful round-trip of the linking data is sufficient proof for the existing local connection and thus for the close proximity. Local physical connections like cables, docking stations, card readers or local wireless connections with transmission ranges of about less than 10 meters as provided by Infrared (IR) or Bluetooth can be used.

[0009] According to a second solution, a person manually transfers linking data from a first device to a second device for proving the close proximity. For example, an authentication server supporting an institution that is to be accessed by a non-trusted device sends a randomly generated one-time password (OTP) as linking data to the trusted device. The person that operates the trusted device and the non-trusted device reads the linking data and manually types the linking data into the non-trusted device. As in the first solution, the round-trip of the linking data is seen as proof for the close proximity.

[0010] US-6,259,909 describes a round-trip of a code word used in a method for secure access by a user to a remote system. After an authentication of a first communications device by an access device, a code word is transmitted from the access device to a second communications device. Said code word received by the second communications device is further transmitted from the second communications device via the first communications device to said access device which can grant to the first and/or second communications device access to the remote system after a check for correctness of the code word received from the first communications device. A data processing unit can be used as first communications device and a mobile phone may be used as second communications device.
[0011] The aforementioned solutions for proving the close proximity have disadvantages. A local connection requires compatible interfaces at the devices that are to be linked for transferring the data from one device to the other device. However, compatibility of interfaces is very often not given thus limiting the applicability of solutions based on local connections to a small fragment of a potential market. This is especially true for local wireless connections, because appropriate local wireless interfaces like IR or Bluetooth transceivers are rather seldom on devices like personal computers (PCs), workstations, ATMs or older mobile phones. Using local physical connections requires to physically connect devices that are to be linked. However, physically connecting devices is an inconvenient and often even annoying task. Similarly, line-of-sight local wireless connection techniques like IR require appropriate aligning transceivers of devices that are to be linked. Furthermore, replacing a device by an appropriate further device requires to first remove the local connection from the device that is to be replaced and to attach the removed local connection to the appropriate further device thus increasing the inconvenience for the operator.

[0012] Solutions based on manually transferred linking data require the person that operates the first and the second device to be active in a sense that the person has to read the linking data that is to be transferred manually from the first device and to type it into the second device. In order to prevent guessing of the linking data, the linking data should not be too short. However, reading of a longer sequence from the first device and typing of the longer sequence into a second device is not convenient and the probability for mistyping increases with the length of the sequence. It is annoying when the linking is rejected because of any reading or typing errors.

[Summary of the invention] 

[0013] It is an object of the present invention to provide a method, a device, and a computer program, which enable a convenient linking of a first characteristic of a first device and a second characteristic of a second device.

[0014] This object is achieved by the method as described in claim 1. Furthermore, the invention is embodied in a server as described in claim 9 and a computer program loadable into a processing unit of a server as described in claim 16. Advantageous embodiments are described in the further claims.

[0015] For the linking of a first characteristic of a first device and a second characteristic of a second device by a server the following steps are executed.

[0016] In a first step, a first linking information and a second linking information are selected with the requirement that the first linking information and the second linking information match. To this end, the first linking information does not necessarily have to be identical to the second linking information.

[0017] Next, the first linking information is sent from the server to the first device and the second linking information is sent from the server to the second device.

[0018] Furthermore, the first linking information is presented by the first device and the second linking information is presented by the second device. Presenting is to be understood as an output to a person. The output by the first device can be different from the output by the second device, however, the matching of the first linking information and the second linking information must be recognizable. Examples for non-identical matching linking information may be a first linking information being complementary or successional to a second linking information.

[0019] After recognizing that the first linking information that is presented by the first device and the second linking information that is presented by the second device match, an indication of the matching is entered into the first device. For example, the operator of the first device can press a button on the first device or an appropriate voice-command can be used for entering the indication of the matching.

[0020] Based on the entered indication of the matching, the first device sends to the server a matching confirmation. The matching confirmation confirms to the server the matching of the first linking information presented by the first device and the second linking information presented by the second device.

[0021] Based on the received matching confirmation, the first characteristic and the second characteristic are associated e.g. by correlating the first characteristic and the second characteristic in a table.

[0022] The proposed method enables a convenient linking of a first characteristic of a first device and a second characteristic of a second device. Comparing of a first linking information presented by a first device and a second linking information presented by a second device and confirming the matching at one of the two devices according to the present invention requires much less action by a person compared to linking methods based on manually transferred linking data, because no lengthy sequences have to be read from a first device and manually typed into a second device. In addition, the possibility of mistyping can be completely avoided as no linking information has to be typed in, making the proposed method much more convenient for a person. Furthermore, the method according to the invention does not require a local connection between the first device and the second device thus rendering compatible interfaces and attaching or removing of local connections unnecessary while at the same time increasing the applicability. Presenting of matching linking information by the first device and by the second device is furthermore advantageous, because it frees the operator of a first device from being aware of an address of a second device that is to be linked to said first device as it is the case for linking methods that require to enter or confirm an address of said second device at the first device for confirming the linking. However, very often an address of a device is not available, e.g. the address is not displayed or cannot be read out, or may change temporarily. Especially for a non-trusted device applies that an address is often not available for the operator, thus making the proposed method very suited for linking non-trusted devices, e.g. for linking an IP-address and port of a first computer terminal as first non-trusted device to an IP address and port of a second computer terminal as second non-trusted device for establishing a computer network comprising the two computer terminals.

[0023] According to a preferred embodiment, the first device is a trusted device and the first characteristic relates to an access legitimization that legitimates to access a first institution. Relating means that the first characteristic comprises the access legitimization and/or an identifier from which the access legitimization can be obtained. An example for an identifier from which an access legitimization legitimating for accessing a mobile telephone network can be obtained is a Mobile Station Integrated Services Digital Network Number (MSISDN) of a mobile phone. The associated characteristics can be further processed, e.g. for statistical, charging, or legal purpose.

[0024] According to another preferred embodiment, the second characteristic of the second device comprises an identifier identifying the second device. Access to a second institution is granted to or via the second device based on the associating of the first characteristic relating to the access legitimization and the second characteristic comprising the identifier. The second institution can be identical to or different from the first institution. Agreements can ensure that an access legitimization for accessing the first institution legitimates also for access to the second institution. Thus, the associating of the characteristic relating to the access legitimization and the second characteristic comprising the identifier for identifying the second device can provide the information that the second device is legitimated for accessing the second institution. Based on that information, access to the second institution can be granted. An access assertion may be sent from the server to the second device, to the second institution or a further entity supporting the second device or the second institution for granting access. The access assertion may comprise an access legitimization that legitimates for accessing the second institution which can be e.g. derived from the access legitimization that legitimates for accessing the first institution. Access to the second institution can be e.g. achieved by unlocking the second device for appropriate usage.

[0025] According to another preferred embodiment, a request for authentication triggers the linking. A request for authentication is common for conventional authentication methods thus decreasing the implementation effort when using the proposed linking method for authentication purpose. Especially if an authentication is required for accessing the second institution, the second institution may just send the request for authentication and wait for an access assertion before granting access to the second device as it is the case for conventional authentication methods. Accordingly, the second institution does not necessarily have to be adapted to the particularities of the proposed method thus increasing the applicability of the proposed method.

[0026] According to another preferred embodiment, the first linking information and the second linking information comprise one or more randomly generated symbols. Randomly generated symbols are beneficial for security reasons, because the probability is reduced that identical or similar linking information is presented in a first linking and in a second linking. Especially, if multiple non-trusted devices are located in close proximity, a person that has to confirm a matching of linking information may get easily confused if the same or very similar linking information is presented on the multiple non-trusted devices in his environment. Furthermore, randomly generated symbols are also advantageous, because the linking information can be processed in the way of a one-time password which is beneficial if the method according to the present invention is to be combined with a conventional linking method using one-time passwords. Examples for a symbol are a digit, a letter, an image, a photo, a picture, or an icon. Advantageous for the usage of digits, letters, and/or icons is their easy processing and presenting on a device having a simple display like it is integrated in a conventional Global System for Mobile Communication (GSM) mobile phone. Another advantage of digits and/or letters is that they can be easily converted for an acoustic presentation. The presenting of graphics like images, photos, pictures, and/or icons can be advantageous because a person usually recognizes more intuitively and faster the matching of graphics compared to letters and/or digits making the method more convenient.

[0027] According to another preferred embodiment, the first linking information is identical to the second linking information. Comparing and confirming the matching of identical linking information is typically more convenient compared to comparing and confirming of non-identical matching linking information. In addition, the usage of identical linking information is easier to implement in the server.

[0028] According to another preferred embodiment, the associating of the first characteristic and the second characteristic can be based on a verification for correctness of confirmation data entered into the first device. The entering of confirmation data can be advantageous for security reasons, e.g. for making a person more aware or for personal authentication. For verification of the correctness of the entered confirmation data, the entered confirmation data has to match to predefined confirmation data. The first device or the server or both can execute the verification. If the server verifies the entered confirmation data, the confirmation data entered into the first device or data produced in the first device based on the entered confirmation data is to be sent to the server, e.g. included or attached to the matching confirmation. The server compares the entered confirmation data or the produced data to predefined confirmation data and executes the associating of the characteristics if the entered confirmation data or the produced data, respectively, matches to the predefined confirmation data. If the first device executes the verification, the first device has access to the predefined data that enables the first device to verify the entered confirmation data for correctness, e.g. the predefined data can be sent from the server to the second device or the predefined data can be stored on the second device. The first device compares the entered confirmation data with the predefined confirmation data and sends the matching confirmation to the server if the entered confirmation data matches to the predefined confirmation data. The method may be implemented in a way that the sending of the matching confirmation is an implicit indication for the verification for correctness of the entered confirmation data by the first device to the server. Based on the verification for correctness, the server can execute the associating of the first and the second characteristic. Depending on the implementation, the confirmation data may be entered for indicating the matching of the linking information thus reducing the number of steps to be executed.

[0029] According to a preferred embodiment, the confirmation data comprises at least one of (a) a Personal Identification Number, (b) a password, (c) an indication for additional information being presented in parallel to the first linking information or second linking information, the additional information being distinguishable from the first linking information and the second linking information, and (d) data being computed on the base of the first linking information and/or the second linking information. An entered Personal Identification Number (PIN) allows to personally authenticate the person that currently operates the first device and is especially advantageous to avoid unauthorized usage e.g. by preventing a thief from using a stolen device for a linking according to the invention. A password can be used in the same manner, but it may be easier to remember than a PIN. Presenting of the additional information in parallel to the first linking information or the second linking information may force the operator to thoroughly study the presented information in order to recognize the matching thus making the proposed method more secure. In addition, an indication for the additional information can be very short and easy to enter, e.g. by a digit or letter indicating the additional information. An alternative solution is entering of data being computed on the base of the first linking information and/or the second linking information that also increases the awareness of the person and thus makes the method more secure. Also, some persons may find the proposed linking method attractive just because of the computing step that requires the person to think for the correct answer, i.e. the correct confirmation data.
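
The server-side steps of paragraphs [0016] to [0021], with identical random digits per [0026] and [0027] and server-verified confirmation data per [0028] and [0029], as an added Python example (not code from the patent). The session identifier, the PBKDF2 storage of the PIN, the six-digit length and all sample values are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SYMBOLS = "0123456789"  # digits suit a simple phone display ([0026])


@dataclass
class Session:
    first_char: str    # first characteristic, e.g. an MSISDN
    second_char: str   # second characteristic, e.g. a terminal identifier
    linking_info: str  # identical on both devices ([0027])


class LinkingServer:
    def __init__(self, length=6):
        self.length = length
        self.sessions = {}  # assumed session id -> pending Session
        self.links = {}     # association table: second_char -> first_char
        self.pins = {}      # first_char -> (salt, hash); assumed storage

    @staticmethod
    def _pin_hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll_pin(self, first_char, pin):
        """Store predefined confirmation data for a trusted device ([0028])."""
        salt = secrets.token_bytes(16)
        self.pins[first_char] = (salt, self._pin_hash(pin, salt))

    def start_linking(self, first_char, second_char):
        """Select (75) linking information and build messages 101 and 151."""
        info = "".join(secrets.choice(SYMBOLS) for _ in range(self.length))
        # Assumption: an unguessable id, sent only to the first device, ties
        # the later matching confirmation to this linking.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(first_char, second_char, info)
        msg_101 = {"session": sid, "linking_info": info}  # to first device
        msg_151 = {"linking_info": info}                  # to second device
        return msg_101, msg_151

    def confirm(self, sid, matched, pin=None):
        """Handle the matching confirmation (400) and associate (450)."""
        # Popping makes the linking information one-time: a replayed
        # confirmation, or a second PIN guess, finds no pending session.
        session = self.sessions.pop(sid, None)
        if session is None or not matched:
            return False
        record = self.pins.get(session.first_char)
        if record is not None:
            salt, expected = record
            # Constant-time comparison of the derived values.
            if pin is None or not hmac.compare_digest(
                    self._pin_hash(pin, salt), expected):
                return False
        self.links[session.second_char] = session.first_char
        return True


def demo():
    """Run three linkings with constructed identifiers; return the outcomes."""
    server = LinkingServer()
    phone, terminal = "msisdn-constructed-0001", "terminal-constructed-17"
    server.enroll_pin(phone, "4711")  # constructed PIN

    # The operator reports that the presented symbols differ: no association.
    m101, m151 = server.start_linking(phone, terminal)
    rejected = server.confirm(m101["session"], matched=False, pin="4711")

    # Symbols match but the PIN is wrong: still no association.
    m101, m151 = server.start_linking(phone, terminal)
    wrong_pin = server.confirm(m101["session"], matched=True, pin="0000")

    # Symbols match and the PIN is correct: the characteristics are associated.
    m101, m151 = server.start_linking(phone, terminal)
    same = m101["linking_info"] == m151["linking_info"]
    linked = server.confirm(m101["session"], matched=True, pin="4711")
    replayed = server.confirm(m101["session"], matched=True, pin="4711")
    return {"rejected": rejected, "wrong_pin": wrong_pin, "same": same,
            "linked": linked, "replayed": replayed, "links": dict(server.links)}


if __name__ == "__main__":
    print(demo())
```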

[0030] The present invention also concerns a server in order to implement the method as described above.

[0031] The server can be used for linking of a first characteristic of a first device and a second characteristic of a second device. The server comprises a receiving unit for receiving messages, a transmitting unit for sending messages, and a processing unit for processing messages and information. The processing unit is adapted to select a first linking information and a second linking information. The first linking information matches to the second linking information. The transmission unit is adapted to send the first linking information to the first device and the second linking information to the second device. The receiving unit is adapted to receive a matching confirmation from the first device with the matching confirmation confirming to the processing unit the matching of the first linking information presented by the first device and the second linking information presented by the second device. The processing unit is adapted to execute an associating of the first characteristic and the second characteristic based on the received matching confirmation.

[0032] According to a preferred embodiment, the first device is a trusted device and the first characteristic relates to an access legitimization legitimating the trusted device for accessing a first institution.

[0033] According to another preferred embodiment, the second characteristic comprises an identifier identifying the second device and, based on the associating of the first characteristic relating to the access legitimization and the second characteristic comprising the identifier, the processing unit is adapted to generate an access assertion for granting to or via the second device access to a second institution being identical or different from the first institution, and the transmission unit is adapted to send the access assertion to the second device or the second institution or to an entity supporting the second device or the second institution for granting access.

[0034] According to another preferred embodiment, the receiving unit is adapted to receive a request for authentication triggering the processing unit to execute the linking.

[0035] According to another preferred embodiment, the processing unit is adapted to select the first linking information and the second linking information to comprise one or more randomly generated symbols.

[0036] According to another preferred embodiment, the processing unit is adapted to select the first linking information being identical to the second linking information.

[0037] According to another preferred embodiment, the processing unit is adapted to execute the associating of the first characteristic and the second characteristic based on a verification for correctness of confirmation data entered into the first device.

[0038] The present invention also concerns a computer program comprising portions of software codes in order to implement the method as described above when operated on a server. The computer programs can be stored on a computer readable medium. The computer-readable medium can be a permanent or rewritable memory within a server or located externally. The respective computer program can be also transferred to a server for example via a cable or a wireless link as a sequence of signals.

[0039] The computer program can be used for linking of a first characteristic of a first device and a second characteristic of a second device. The computer program can be loaded into a processing unit of a server and comprises code adapted to select a first linking information and a second linking information. The first linking information matches to the second linking information. The computer program comprises code adapted to initialize a sending of the first linking information to the first device and a sending of the second linking information to the second device and to execute an associating of the first characteristic and the second characteristic based on a matching confirmation received from the first device with the matching confirmation confirming to the computer program the matching of the first linking information presented by the first device and the second linking information presented by the second device. The computer program can be used in all embodiments of the method as described.

[0040] In the following, detailed embodiments of the present invention shall be described in order to give the skilled person a full and complete understanding. However, these embodiments are illustrative and not intended to be limiting, as the scope of the invention is defined by the appended claims.

[Brief description of the drawings]

[0041]

Fig. 1a shows a flowchart diagram of a first embodiment of the present invention;

Fig. 1b shows examples of processes and messages between devices according to the first embodiment of Fig. 1a;

Fig. 2 shows an operator, devices and messages between devices of a second embodiment of the present invention;

Fig. 3a shows a table comprising a first set of examples of presentations by a trusted and on a non-trusted device;

Fig. 3b shows a table comprising a second set of examples of presentations by a trusted and on a non-trusted device.

[Detailed description of the invention] 

[0042] Figure 1 a shows a flowchart diagram of a first 

40 embodiment of the present Invention in which a request 
50 for linking triggers the following steps of the method. 
Fig. 1 b shows examples of processes and messages 
between devices, i.e. a first device PP1 and a second 
device NP1 that are to be linked and a server S1, for 

45 carrying out the method according to the flow-chart de- 
picted in Fig. 1a. In the following, Fig. 1a and 1b are 
described In parallel. Identical references in Fig. la and 
1b describe corresponding features. 
[0043] According to Fig. 1a, the first embodiment starts with a request
50 for linking. The request 50 for linking may originate from an entity
being external to the server S1 or by the server S1 itself. The request
50 for linking can be sent from the second device NP1 to the server S1
by a request message 51 as depicted in Fig. 1b. The request 50 for
linking triggers the server S1 to link the first device PP1 and the
second device NP1 by associating a first characteristic of the first
device PP1 and a second characteristic of the second device NP1. In the
request message 51, the server S1 can be provided with an address of
the second device NP1. Furthermore, the request message 51 can comprise
an address of the first device PP1. Subsequently, the server S1 selects
75 the first linking information and the second linking information.
Furthermore, the server S1 sends 100 the first linking information via
message 101 to the first device PP1 and sends 150 the second linking
information via message 151 to the second device NP1. Subsequently, the
first linking information is presented 200 by the first device PP1 and
the second linking information is presented 250 by the second device
NP1. After comparing the presented linking information and recognizing
that the presented information match, the person that operates the
first device PP1 executes an entering 300 of an indication of the
matching into the first device PP1. Preferably, a request is output by
the first device PP1 for the entering 300 of the indication of the
matching and if tighter security requirements apply also for entering
350 of confirmation data like a PIN into the first device PP1.
According to the present example, the entered confirmation data is
verified by the first device PP1 for correctness. The entering 300,350
of the indication of the matching and of the correct confirmation data
triggers the sending 400 of a matching confirmation from the first
device PP1 to the server S1 via message 401. The matching confirmation
confirms the matching of the first linking information that is
presented on the first device PP1 and the second linking information
that is presented on the second device NP1 and additionally provides
the server S1 with information that the operator of the first device
PP1 has been personally authenticated by entering the correct PIN.
Furthermore, the server S1 is provided by the received matching
information with a proof of the close proximity of the first device PP1
and the second device NP1 such that the server S1 can assume that the
person operating the second device NP1 is identical to or at least
being authorized by the person operating the first device PP1. Based on
the received matching confirmation, an associating 450 of a first
characteristic of the first device PP1 and a second characteristic of
the second device NP1 can be executed by the server S1. Which
characteristics are to be associated 450 may be indicated in the
request 50 for linking. Additional determination steps may be executed
to determine appropriate characteristics that are to be associated. A
suitable example is to associate an address of the first device PP1 and
an address of the second device NP2, e.g. the addresses that are known
to the server S1 for sending 100,150 the linking information. Based on
the associating 450 of the first characteristic and the second
characteristic, a linking assertion can state the successful linking of
the two devices PP1,NP1. The linking assertion may be sent 501 to the
second device as response to the request 50 for linking.
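
The message flow of Fig. 1a/1b, run end to end with the case in which the operator's own terminal did not issue the request. This Python code is an added example, not part of the patent text: all class and function names, the 120-second session lifetime, the single-use session identifier and the sample addresses are assumptions; identical three-icon sequences serve as linking information.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a set of 100 icons (100**3 = 1,000,000 sequences).
ICONS = [f"icon-{n:02d}" for n in range(100)]
SEQUENCE_LENGTH = 3
SESSION_TTL = 120.0  # seconds; assumption, the text sets no lifetime


@dataclass
class Session:
    first_char: str      # first characteristic, e.g. address of PP1
    second_char: str     # second characteristic, e.g. address of NP1
    linking_info: tuple  # identical linking information for both devices
    created: float


class LinkingServer:
    """Server S1: selecting 75, sending 100/150, associating 450."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}
        self.associations = {}  # second characteristic -> first characteristic

    def request_linking(self, first_char, second_char):
        """Handle request 50; return (message 101, message 151)."""
        info = tuple(secrets.choice(ICONS) for _ in range(SEQUENCE_LENGTH))
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(first_char, second_char, info, self.clock())
        msg_101 = {"session": sid, "to": first_char, "linking_info": info}
        msg_151 = {"to": second_char, "linking_info": info}
        return msg_101, msg_151

    def matching_confirmation(self, msg_401):
        """Handle message 401 and, if it is acceptable, associate 450."""
        session = self.sessions.pop(msg_401["session"], None)  # single use
        if session is None:
            return "rejected: unknown or already used session"
        if self.clock() - session.created > SESSION_TTL:
            return "rejected: expired"
        # Assumption: the transport authenticates the sender address.
        if msg_401["from"] != session.first_char:
            return "rejected: not sent by the first device"
        self.associations[session.second_char] = session.first_char
        return "linked"  # basis for the linking assertion (message 501)


class FirstDevice:
    """Trusted device PP1: presenting 200, entering 300/350, sending 400."""

    def __init__(self, address, pin):
        self.address = address
        self._pin = pin
        self._pending = None

    def present(self, msg_101):
        self._pending = msg_101
        return msg_101["linking_info"]

    def enter(self, indication_of_matching, pin):
        """Return message 401, or None when no confirmation may be sent."""
        pending, self._pending = self._pending, None
        if pending is None or not indication_of_matching:
            return None
        # Confirmation data is verified on the device, as in the text.
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return {"session": pending["session"], "from": self.address}


def operator_links(server, phone, requested_by, operator_terminal, pin):
    """One run: `requested_by` issues request 50 naming the phone; the
    operator compares the phone display with `operator_terminal`."""
    msg_101, msg_151 = server.request_linking(phone.address, requested_by)
    on_phone = phone.present(msg_101)
    # Only the requesting terminal receives message 151; any other
    # terminal shows nothing, so the operator sees no match.
    shown = msg_151["linking_info"] if operator_terminal == requested_by else ()
    msg_401 = phone.enter(on_phone == shown, pin)
    if msg_401 is None:
        return "no confirmation sent"
    return server.matching_confirmation(msg_401)
```

When `requested_by` differs from `operator_terminal`, the phone still displays linking information, but no association is created because the operator has nothing matching to confirm.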
[0044] When using as first device PP1 a trusted device, additional
verification steps may be advantageous that are not shown in Fig. 1. In
this case, the server may verify the access legitimization of the
personal device for executing the linking, e.g. before sending the
linking information to the respective devices. Especially, if access to
an institution is requested for or via the second device NP1, it can be
checked if appropriate agreements exist allowing to access the
institution by or via the second device NP1 based on the access
legitimization of the trusted device. For example, it can be checked if
an access legitimization of a mobile phone legitimating the mobile
phone for accessing a mobile telephone system like a GSM or Universal
Mobile Telecommunication System (UMTS) legitimates also for accessing
an Internet service as example for the institution to that access is
requested to via a computer terminal as example for a second device. By
associating a first characteristic relating to the access
legitimization of the first device, e.g. a mobile phone number as first
characteristic, and a second characteristic that allows to identify the
second device, access for or via the second device to the institution
can be granted.

[0045] For using the method as described in conjunction with Fig. 1a
for authentication purpose, it is advantageous to replace the request
50 for linking and the linking assertion 500 by an appropriate request
for authentication and an authentication assertion, respectively, and
using as first device PP1 a trusted device. The request for
authentication may be sent via message 51 to the server S1. The steps
75-450 and corresponding processes and messages 75-450 can be executed
as explained in conjunction with Fig. 1. Based on the linking, the
authentication assertion can be sent for granting access. For example,
the authentication assertion may be sent via message 501 to the second
device effecting e.g. an unlocking of the second device NP1 for getting
access.

[0046] In general applies for the first and second device the
following: for receiving the first linking information at the first
device, the first device is equipped with a first receiving unit and
for receiving the second linking information by the second device, the
second device is equipped with a second receiving unit. For presenting
the first linking information by the first device, the first device is
equipped with a first output unit and for presenting the second linking
information by the second device, the second device is equipped with a
second output unit. Examples for an output unit are a display, a
loudspeaker, or a printer, or a device that allows presenting of
linking information by embossed symbols. The second device can be
equipped with an input unit like a keypad or microphone for triggering
the linking method e.g. by a request for authentication or linking. For
the entering of the indication of the matching and the confirmation
data if applicable, the first device is equipped with an input unit
like a keypad, microphone, or touch-screen.

[0047] One or more of the aforementioned units for the first device
and/or the second device may be removable. The fact that the first
device and/or the second device do not necessarily need to have an
integrated receiving unit, transmission unit, input unit and/or output
unit makes the proposed method much more flexible, e.g. as trusted
device a credit card can be used inserted into a device similar to a
card reader having in addition an input and output unit and a receiving
and transmission unit as explained before. Furthermore, a presenting of
linking information by a loudspeaker or in Braille makes the proposed
method also easily operable by blind persons.
[0048] In the following examples for trusted devices are described that
may be used in the proposed linking method: firstly, a trusted device
that legitimates for access to an institution without revealing an
identity of the legitimate owner of the trusted device: according to
this first example, one or more characteristics associated with the
trusted device that are determinable by the institution when presenting
the trusted device for getting access do not allow to identify the
legitimate owner. To this end, a trusted device according to the first
example can be provided to the legitimate owner without associating an
identity of the legitimate owner to said one or more determinable
characteristics. An example for such a trusted device is a ticket that
legitimates for accessing an institution by revealing as access
legitimization a name of said institution and a serial number not being
associated with an identity of the legitimate owner. Secondly, a
trusted device that legitimates for access to an institution which
allows to obtain an identity of the legitimate owner; according to the
second example, at least one of the characteristics of the trusted
device determinable by the institution is associated with an identity
of the legitimate owner. Said identity can be stored at the trusted
device, at the institution, and/or a further entity accessible by the
institution. When said identity is stored at the institution and/or at
the further entity, the trusted device has to be uniquely identifiable
by the institution in order to obtain the identity of the legitimate
owner. Thirdly, a trusted device that legitimates for access to an
institution allowing a personal authentication, i.e. it is possible to
prove that the person that operates the trusted device is identical to
or is authorized by the legitimate owner. A secret like a Personal
Identification Number (PIN) personally issued to the legitimate owner
or a user identity - password mechanism or personal information
uniquely relating to the legitimate owner like a signature or photo can
be used for personal authentication when presenting the trusted device
for getting access. Authorization by the legitimate owner can be
achieved by providing said secret to a further person that enables the
further person to access the institution when presenting the trusted
device. Examples for trusted devices allowing personal authentication
are a credit card in combination with a signature or a GSM mobile phone
in combination with a PIN.
[0049] For linking of a trusted device, it depends on the trusted
device and the processing of characteristics determinable by the server
for the linking if information about the legitimate owner as explained
before is provided to the server. If information about the legitimate
owner is determinable, this information can be used in the associating
step. As a general rule, for tighter security requirements a higher
example number of trusted device is preferably used. In addition, a
trusted device can be associated with characteristics like the date of
issue, the date of expiry, or a value associated with trusted device
that can be considered e.g. for the linking and/or for granting access.

[0050] Fig. 2 shows a second embodiment of the proposed method. A
person A2 that operates a trusted device depicted as mobile phone PP2
and a non-trusted device depicted as a computer terminal NP2 wants to
access via the computer terminal NP2 a service provided by a server SP2
in the Internet. The computer terminal NP2 sends a request SR for
service access to the server SP2 providing the service in the Internet.
The server SP2 recognizes that an authentication is required for the
requested service. The server SP2 can respond to the computer terminal
NP2 with an authentication request message ARM1 asking for
authentication, e.g. by asking to enter a MSISDN number. The person A2
enters the MSISDN number of the mobile phone PP2 into the computer
terminal NP2 and sends in an authentication response message ARM2 the
entered MSISDN number to the server SP2. The authentication response
message ARM2 can carry also the address of the computer terminal NP2
like an Internet Protocol (IP) address and a port number. Based on the
received authentication response message ARM2, the server SP2 sends a
request RA for authentication to the server AS2. According to the
present example, the request RA comprises the MSISDN number of the
mobile phone PP2, the IP address and port number of the computer
terminal NP2 and an IP address and port number of the server SP2.
Optionally, an identifier or a name of the service and/or service
provider and the time the request SR for service was received at the
server SP2 can be included into the request RA. Triggered by the
request RA, the server AS2 proceeds as follows: The server AS2 accepts
the received MSISDN number as being legitimated for access to a mobile
telecommunication system. Based on an analysis of the MSISDN number the
server AS2 may also detect that the MSISDN number corresponds to a
particular network operator. According to the present example, the
server AS2 checks if the access legitimization according to the MSISDN
number legitimates also for access to the service provided by the
server SP2, e.g. according to an appropriate agreement made in advance
or on request or by assuming an implicit agreement due to the fact that
the server SP2 sends the MSISDN number in the request message 51. If
personal authentication is required, the server AS2 may in addition
obtain an identity of the legitimate owner of the MSISDN number, e.g.
name and address of the person A2 presenting the mobile phone PP2 as
trusted device.
[0051] After accepting the MSISDN number of the mobile phone PP2 and
the approval of the associated access legitimization, the server AS2
proceeds with the linking by selecting a first and a second linking
information. According to the present example, the server AS2 selects
and sends an identical sequence of pictures to the mobile phone PP2 and
to the computer terminal NP2. The linking information for the computer
terminal NP2 is sent in a message LIA1 to the server SP2 which further
sends the linking information for the computer terminal NP2 via message
LIA2 to the computer terminal NP2 where the linking information is
presented on the computer screen as shown by the screen image DIN. The
linking information for the mobile phone PP2 is sent in a message LIB,
e.g. via Short Message Service (SMS) or Multimedia Messaging Service
(MMS) or WAP (Wireless Application Protocol) push, to the mobile phone
PP2. The linking information is presented on the display of the mobile
phone PP2 as shown by the screen image DIP. The method becomes more
convenient and more secure, if the linking information presented on the
mobile phone PP2 is presented in parallel with a request like

"Dear [Name of person].

You want to access the service [Name of service] at [Time of service
request]. Please confirm the matching of the linking information
presented on your mobile phone and your non-trusted device [Address] by
pressing the YES button on your mobile phone followed by entering your
PIN."

[0052] The aforementioned request text includes entries given in
brackets. These entries like the name of the person A2, the name of the
service, the time of service request, and an address of the non-trusted
device can be included into the message LIB and thus provided to the
mobile phone PP2 for presentation if the server AS2 has this
information available as explained before.
[0053] If the linking information in the form of a sequence of pictures
presented on the display of the mobile phone PP2 and on the screen of
the computer terminal NP2 is identical and thus matches, the person A2
presses the "YES" button on the mobile phone PP2 and enters his PIN for
confirmation of the matching. For the case that the information that is
presented by the mobile phone PP2 and the information presented by the
computer terminal NP2 do not match, a possible attack may be going on.
In this case, the confirmation of the matching can be denied and thus
the linking procedure can be terminated, e.g. by pressing "NO" or by
entering a wrong PIN. According to the present example, the linking
information matches and a matching confirmation is sent via a matching
confirmation message MC from the mobile phone PP2 to the server AS2.
Based on the received matching confirmation, the server AS2 links the
computer terminal NP2 and the mobile phone PP2 by associating e.g. the
address of the computer terminal NP2 with the MSISDN number of the
mobile phone PP2 and provides the server SP2 with an authentication
assertion message AA comprising an authentication assertion. Based on
the authentication assertion, the server SP2 can grant service access
SA to computer terminal NP2 for the person A2. If available or
requested, the server AS2 may provide personal information related to
the person A2 like the name and/or the address and/or a credit card
number to the server SP2. The server SP2 can store the provided
personal information in a database, e.g. for charging or statistical
purposes or legal reasons.

[0054] The embodiment of Fig. 2 uses a computer terminal as non-trusted
device. However, the embodiments described in conjunction with Fig. 1a,
1b, and 2 with a non-trusted device being for example a personal
digital assistant (PDA), a workstation, a notebook, an ATM, a physical
access unit like a door or a physical control device like a steering
wheel.
[0055] In Fig. 3a a table is shown with examples of matching linking
information presented by a trusted device as an example for a first
device and a non-trusted device as an example for a second device. The
individual examples of linking information are indicated by identifying
numbers (IDs). Identical sequences of digits 1a, of letters 2a, of
icons 3a, of pictures 4a, and of a combination of letters and digits 5a
are shown as examples for identical linking information. However, as
stated earlier, matching linking information does not necessarily have
to be identical. Examples for non-identical matching linking
information are given in the examples 6a to 11a. Examples 6a and 7a
reveal examples for successional matching linking information for
sequences of digits and letters, respectively, i.e. sequences starting
on the trusted device are continued on the non-trusted device or vice
versa. 8a and 9a show examples for complementary matching linking
information where a first sequence of icons is presented by the trusted
device and a second sequence of icons identical to the first one but
with reversed color is presented by the non-trusted device. 10a is an
example for a computational matching linking information, i.e. the
linking information presented by the non-trusted device can be computed
by the linking information presented by the trusted device or vice
versa. Example 11a shows a sequence of pictures presented by the
non-trusted device. The linking information presented by the trusted
device is a sequence of names matching the sequence of pictures in text
format. An implementation according to example 11a may be very useful
if only one of the devices supports the presentation of pictures. It
can be therefore advantageous to provide to the trusted device or to
the non-trusted device or both a variety of formats of the linking
information from that the format best suited can be selected for
increasing the probability for presenting the linking information.
Another example for non-identical matching information not shown in
Fig. 3a is a puzzle, wherein one or more first parts of the puzzle can
be presented by the trusted device and one or more further parts of the
puzzle can be presented by the non-trusted device.
[0056] Comparing and recognizing of a matching of graphical linking
information like pictures, images, or icons can be easier for a person
than of non-graphical linking information like digits or letters making
the proposed method based on graphical linking information more
convenient but also more secure as the probability for an erroneous
recognition of the matching is decreased. As an example for a set of
100 icons, a sequence of 3 randomly chosen icons as linking information
allows for 1,000,000 different sequences what makes the proposed method
sufficiently secure on the one hand. On the other hand, a sequence of 3
icons is very easy and fast to compare compared to e.g. a sequence of
six digits, which also allows for 1,000,000 different sequences.

[0057] Fig. 3b is used to explain how an entering of the indication of
the matching can be executed and how an entering of confirmation data
into the trusted device as an example for the first device can be
performed. For this reason, examples for matching linking information
presented by the trusted device and by a non-trusted device as example
for the second device are shown. The presented matching linking
information is supplemented by additional information presented in
parallel to the respective matching linking information on one of the
devices. For recognizing the matching of the first linking information
and the second linking information, the additional information should
be clearly distinguishable from the matching linking information, e.g.
according to the examples 1b-10b as explained in the following. For
entering of an indication for the matching and/or the entering of
confirmation data, an appropriate request may be presented by at least
one of the devices that are to be linked. The entering of the
indication for matching and for the confirmation data can be combined.
[0058] According to the first example in 1b, the matching linking
information is given by a sequence of digits "123456" on both devices
and the additional information by a sequence of Latin letters "ABCDEF"
and sequence of Greek letters 'V6t)pt5". The information as presented
on the trusted device is numbered and matching of the linking
information can be confirmed by typing in "2" into the trusted device
for indicating that the information numbered "2" presented by the
trusted device is the linking information that matches to the linking
information presented by the non-trusted device. Alternatively, a
pointing device like a mouse can be used for "clicking" on the linking
information or the corresponding identifier, i.e. number "2" according
to the present example. Also a vocal entering is possible for
indicating the matching.
[0059] 2b shows a corresponding presentation of matching linking
information, i.e. "ABCDEF", and additional information, i.e. "45T698"
and "$rt%t2", with the additional information now being presented by
the non-trusted device. As identifiers for the matching linking
information letter "A" and for the additional information letters "B"
and "C" are used. According to this example, an indication of the
matching may be executed by entering "A" into the trusted device.



[0060] According to the example in 1b and 2b, the entering of the
indication of the matching can be also made by trivial means without
further making usage of the additional information presented to the
person, e.g. by pressing "YES". An additional confirmation step can
request the entering of "2" or "A" as confirmation data according to
example 1b or 2b, respectively.
[0061] Both examples 1b and 2b increase the complexity for the benefit
of an increase of the security of the method. The person that operates
the trusted device cannot just achieve the linking of the trusted
device and the non-trusted device just by pressing a button or by other
trivial means. Instead, he is forced to thoroughly compare the
information presented by both devices and to make the right choice for
the entering.
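
Examples 1b and 2b amount to a numbered challenge in which exactly one entry is the linking information. The Python code below is an added example, not part of the patent text: the function and class names and the Greek decoy alphabet are assumptions, and the one-attempt rule follows the statement in [0053] that a wrong entry terminates the linking procedure.

```python
import secrets
import string

GREEK = "αβγδεζηθικλμ"  # constructed decoy alphabet


def random_text(alphabet, length):
    """Random additional information drawn from one alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_presentation(linking_info, decoy_alphabets):
    """Number the linking information among additional information (1b).

    Returns (entries, correct_id): entries maps the identifiers "1", "2",
    ... to the strings shown on the device, correct_id is the identifier
    of the entry that matches what the other device presents.
    """
    if not linking_info:
        raise ValueError("linking information must not be empty")
    for alphabet in decoy_alphabets:
        # Additional information must be clearly distinguishable, so a
        # decoy may never share a symbol with the linking information.
        if set(alphabet) & set(linking_info):
            raise ValueError("additional information must be distinguishable")
    shown = [linking_info]
    shown += [random_text(a, len(linking_info)) for a in decoy_alphabets]
    secrets.SystemRandom().shuffle(shown)  # position must not be guessable
    entries = {str(n): text for n, text in enumerate(shown, start=1)}
    correct_id = next(n for n, text in entries.items() if text == linking_info)
    return entries, correct_id


class Confirmation:
    """Accepts one entry per linking run; a wrong entry ends the run."""

    def __init__(self, correct_id):
        self._correct_id = correct_id
        self.open = True

    def enter(self, identifier):
        if not self.open:
            return False
        self.open = False  # consumed whether the entry was right or wrong
        return secrets.compare_digest(
            identifier.encode(), self._correct_id.encode()
        )


def blind_success_probability(entries):
    """Chance that an entry made without comparing hits the match."""
    return 1 / len(entries)
```

With the two decoy alphabets of example 1b, an operator who answers without comparing the two displays succeeds only one time in three, and a miss closes the run.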
[0062] In the following examples 3b to 10b, the digit "0" represents
additional information that can be easily distinguished from the
matching linking information according to the present examples. The
additional information can be e.g. presented separately from the
linking information by the trusted device according to examples 8b to
10b or presented separately from the linking information by the
non-trusted device according to the examples 4b to 7b or comprised in
the linking information as depicted according to example 3b for
additional information comprised in the linking information by the
trusted device. Additional information comprised in the linking
information presented by the non-trusted device is also possible but
not shown in Fig. 3b.
[0063] According to the examples 3b to 10b, an indication of the
matching can be made, e.g. by pressing the "YES" button, and then to
enter confirmation data, i.e. the additional information "0" according
to the examples 3b to 10b.

[0064] In 11b, identical linking information in form of a mathematical
equation "3+5 = ?" is presented by both devices. The correct result "8"
can be entered as confirmation data.

[0065] Alternatively, the indication for the matching in the examples
3b to 10b and 11b can be combined with the entering of confirmation
data e.g. by requesting to indicate the matching by entering the
additional information, i.e. "0" and "8" for the examples 3b-10b and
11b, respectively. This implementation has the advantage that reduced
action by the operator of the trusted device is required, e.g. pressing
the "YES" button can be left out.

[0066] The above embodiments admirably achieve the objects of the
invention. However, it will be appreciated that departures can be made
by those skilled in the art without departing from the scope of the
invention which is limited only by the claims.



Claims 

1. A method for linking of a first characteristic of a first device
(PP1,PP2) and a second characteristic of a second device (NP1,NP2) by a
server (S1,AS2), the method comprising the steps of:

selecting (75) a first linking information and a second linking
information, the first linking information matching to the second
linking information,

sending (100,150) from the server (S1,AS2) the first linking
information to the first device (PP1,PP2) and the second linking
information to the second device (NP1,NP2),

presenting (200,250) by the first device (PP1,PP2) the first linking
information and by the second device (NP1,NP2) the second linking
information,

entering (300) into the first device (PP1,PP2) an indication of the
matching of the first linking information and the second linking
information,

based on the entered indication of the matching, sending (400) to the
server (S1,AS2) a matching confirmation for confirming the matching to
the server (S1,AS2),

associating (450) the first characteristic and the second
characteristic based on the received matching confirmation.

2. The method according to claim 1, wherein the first device (PP1,PP2)
is a trusted device and the first characteristic relates to an access
legitimization legitimating the trusted device for accessing a first
institution.

3. The method according to claim 2, wherein the second characteristic
comprises an identifier identifying the second device (NP1,NP2) and
access to a second institution is granted to or via the second device
(NP1,NP2) based on the associating (450) of the first characteristic
relating to the access legitimization and the second characteristic
comprising the identifier, the second institution being identical to or
different from the first institution.

4. The method according to any of the preceding claims, wherein a
request for authentication triggers the linking.

5. The method according to any of the preceding claims, wherein the
first linking information and the second linking information comprise
one or more randomly generated symbols.

6. The method according to any of the preceding claims, wherein the
first linking information is identical to the second linking
information.

7. The method according to any of the preceding claims, wherein the
associating (450) is based on a verification for correctness of
confirmation data entered into the first device (PP1,PP2).

8. The method according to claim 7, wherein the entered confirmation
data comprises at least one of

(a) a Personal Identification Number,

(b) a password,

(c) an indication for additional information being presented in
parallel to the first linking information or second linking
information, the additional information being distinguishable from the
first linking information and the second linking information, and

(d) data being computed on the base of the first linking information
and/or the second linking information.

9. A server (S1,AS2) usable for linking of a first characteristic of a
first device (PP1,PP2) and a second characteristic of a second device
(NP1,NP2), the server (S1,AS2) comprising a receiving unit for
receiving messages, a transmitting unit for sending messages, and a
processing unit for processing messages and information, wherein the
processing unit is adapted to select a first linking information and a
second linking information, the first linking information matching to
the second linking information, the transmission unit is adapted to
send the first linking information to the first device (PP1,PP2) and
the second linking information to the second device (NP1,NP2), the
receiving unit is adapted to receive a matching confirmation from the
first device (PP1,PP2), the matching confirmation confirming to the
processing unit the matching of the first linking information presented
by the first device (PP1,PP2) and the second linking information
presented by the second device (NP1,NP2), and the processing unit is
adapted to execute an associating (450) of the first characteristic and
the second characteristic based on the received matching confirmation.

10. The server (S1,AS2) according to claim 9, wherein the first device
(PP1,PP2) is a trusted device and the first characteristic relates to
an access legitimization legitimating the trusted device for accessing
a first institution.

11. The server (S1,AS2) according to claim 10, wherein the second
characteristic comprises an identifier identifying the second device
and, based on the associating (450) of the first characteristic
relating to the access legitimization and the second characteristic
comprising the identifier, the processing unit is adapted to generate
an access assertion for granting to or via the second device (NP1,NP2)
access to a second institution being identical or different from the
first institution, and the transmission unit is adapted to send the
access assertion to the second device (NP1,NP2) or the second
institution or to an entity supporting the second device (NP1,NP2) or
the second institution for granting access.
12. The server (S1,AS2) according to any of the claims 9 to 11, wherein
the receiving unit is adapted to receive a request for authentication
triggering the processing unit to execute the linking.

13. The server (S1,AS2) according to any of the claims 9 to 12, wherein
the processing unit is adapted to select the first linking information
and the second linking information to comprise one or more randomly
generated symbols.

14. The server (S1,AS2) according to any of the claims 9 to 13, wherein
the processing unit is adapted to select the first linking information
being identical to the second linking information.

15. The server (S1,AS2) according to any of the claims 9 to 14, wherein
the processing unit is adapted to execute the associating (450) of the
first characteristic and the second characteristic based on a
verification for correctness of confirmation data entered into the
first device (PP1,PP2).

16. A computer program usable for linking of a first characteristic of
a first device (PP1,PP2) and a second characteristic of a second device
(NP1,NP2), the computer program being loadable into a processing unit
of a server (S1,AS2), wherein the computer program comprises code
adapted to select a first linking information and a second linking
information, the first linking information matching to the second
linking information, to initialize a sending of the first linking
information to the first device (PP1,PP2) and a sending of the second
linking information to the second device (NP1,NP2), and to execute an
associating (450) of the first characteristic and the second
characteristic based on a matching confirmation received from the first
device (PP1,PP2), the matching confirmation confirming to the computer
program the matching of the first linking information presented by the
first device (PP1,PP2) and the second linking information presented by
the second device (NP1,NP2).